April Fools!??? waled ac.cn TrojanC Registry Value

Status
Not open for further replies.

HopefulBeliever

New member
So here I am again... and I have tried my best to keep my computer updated and safe, thanks to you guys and your advice. Yesterday when I first heard of this April Fools' Day Conficker worm, I came in and ran updates and scans... all was well... I ran my scans this morning too (Tuesday 3/31). About 11:30 P.M. I found a kid on the computer (I forgot to log off, my bad). I started running updates; when I ran the Malwarebytes update, during its installation, Spybot popped up a warning that it found "waled ac.cn" in a system32 folder/file? So then I ran Spybot and lo and behold, I am infected! :slap:
I clicked on "Fix selected problems", but if this is anything like the past infections I had back in Dec. '08 then I doubt it's gone.
I also want to let you know, last time I had a problem, it was discovered my Windows XP was not legal. I have since remedied that, paid 159.00 to legalize it :bigthumb:

So thanks in advance, here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:19 AM, on 4/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234136263328
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 7896 bytes
 
Hi there,

Generate an Uninstall List

* Open HijackThis
* Click on Open Misc Tools Section
* Click on Open Uninstall Manager
* Click on Save list
* Save it to your Desktop
* Post it on your next reply.


Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Read the requirements and privacy statement then click on the Accept button.

  • The program will launch and start to download the latest definition files.

  • You will be prompted to install an application from Kaspersky. Click Run

  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives

  • Click on My Computer under Scan.

  • Once the scan is complete, it will display the results. Click on View Scan Report.

  • Click on Save Report As....

  • Change the Files of type to Text file (.txt) before clicking on the Save button.

  • Save this report to a convenient place.

  • Copy and paste that information & a fresh hjt log into your topic.

  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here
 
Started... but ran into some problems

Hi Blade :) I was so happy to log in this morning and see I had a reply... yay!!! :eek:

I have the uninstall log. I turned off (I think) the AV programs... when I exit AVG, which is the only option I can find to turn it off, I am unsure it is actually turned OFF, because I don't get a warning from Microsoft telling me my antivirus program is turned off...

Now... the actual real problem I ran into is... I downloaded Kaspersky, followed your directions to the T... well, I unexpectedly had to make a trip into town, so I minimized the scan... would you believe it disappeared!!! I left the computer running and it was still gone when I returned, an hour later. I started to restart the computer and start from the beginning and it mysteriously re-appeared :laugh:
The scan was running along just fine and had found 1 Threat Name and 1 infected object; about 5 mins later, when the scan was 37% complete, my computer froze!!!! (My computer freezing up is an issue I have had off and on since I got this PC.) There are some persistent issues with this computer I am hoping to get help with when we are finished with the cleaning, if you have the time to help me with that too... I am unsure if they have anything to do with being infected.
I have not yet started over, as my phones have rung more today than I think they have in a week!!! Been spring cleaning and trying to get ready for my son's 17th birthday tomorrow... 'nough about my life :p:

I am gonna go ahead and post the uninstall log now; thought maybe it wouldn't hurt since I did get that far :rolleyes:

I'll be back with the rest of the required info as soon as I am able to complete it :)

Have a nice day Blade :)
_________________________________________________________________

ABBYY FineReader 6.0 Sprint
Acrobat.com
Adobe AIR
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Reader 9.1
Apple Mobile Device Support
Apple Software Update
AVG 8.5
Critical Update for Windows Media Player 11 (KB959772)
Easy CD & DVD Creator 6
ERUNT 1.1j
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HSP56 MR Drivers
iTunes
Java(TM) 6 Update 11
Lexmark 2500 Series
Lexmark Fax Solutions
Lexmark Toolbar
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.8)
MSN
QuickTime
RealPlayer Basic
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
Update for Windows XP (KB898461)
Update for Windows XP (KB904942)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinZip
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
 
I am lookin' for a sledge hammer!

Good mornin' Blade...

Well... since my last post, I have unsuccessfully tried running Kaspersky 2 more times. My computer didn't freeze, but... both times the scan itself seemed to have frozen/stalled... just plain quit running :slap:
I have rebooted the computer and walked away for a while, because my patience is being tried :hair:
Before I rebooted, I opened AVG, updated, and checked the logs there. I did find in Components (AVG Web Shield findings) this blocked item from 3/29...
"Exploit MDAC-ActiveX-Code execution type290-ashiping/?sid=aff0048"
That must have happened in the background, because I never had a warning about it...

I am going to try running Kaspersky one more time and hopefully will have a log posted for you by the time you are reading this...

sincerely
Julia
 
Hi Julia,


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 13.
  • Click the Download button to the right.
  • Select Windows in the platform combobox and check the box that says Accept License Agreement. Click Continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save it to your desktop.
  • Close any programs you may have running, especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version. Uncheck the MSN toolbar if it's offered there.


Let's see if we get better results with another online scanner, in case Kaspersky still gets jammed.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Make sure your antivirus program is disabled, then click Scan.
  • Wait for the scan to finish.
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems.

If the scanner gets stuck, it's recommended to defrag the hard drives and then try scanning again.


Happy Birthday to your son :present:
 
A lil less stressed

Hi Blade... thanks for the B-Day wish :)

I updated Java; I thought it was already.
Kaspersky did finish running the scan w/ no interruptions, found the 2 items I mentioned in an earlier post, BUT :lip: would not bring up the report... just a blank page and a banner at the top in red, telling me I am infected... so I am going to run this other scan you suggested. My IE has not been updated to IE8; I hope this is OK, because I am unsure if I should do that at this time.

If the scanner gets stuck, it's recommended to defrag the hard drives and then try scanning again.

See, the defrag program is something that seems to not be OK with this system. I actually ran it about a week ago, but all files did NOT defrag. Ever since I got this computer (built, not new) it was freezing up and, when restarted, goes to disk check and tells me it is checking "Csystem:Fat32 volumes#2D2A-IEE7", which I think is or has something to do with the defrag program.

Now in December, when my computer was infected and PSKelly helped me, this problem went away but has since returned, along with a pop-up telling me virtual memory is low with almost everything I try to load, but that hasn't been happening since I ran Spybot and Malwarebytes and posted for help here...
Makes me think there may have been a vulnerability built into this system; I hope it wasn't intentional :sad:

OK Blade :) Hopefully I will be back with ALL the logs you need.

If you get back here before I do, do you want me to post the uninstall list again?
 
goes to disk check and tells me it is checking "Csystem:Fat32 volumes#2D2A-IEE7", which I think is or has something to do with the defrag program
That sounds more like error checking in action :) Actually, it might be good to run one by following the instructions here ('my computer' option).


Now in December, when my computer was infected and PSKelly helped me, this problem went away but has since returned, along with a pop-up telling me virtual memory is low with almost everything I try to load, but that hasn't been happening since I ran Spybot and Malwarebytes and posted for help here...
How much memory does the system have installed?

If you get back here before I do, do you want me to post the uninstall list again?
No need to repost it :)
 
Not Hopeful

Hi Blade... I did just let the system check run on restart, as it almost always does if my computer freezes up.

My computer doesn't have the memory I wish it did; it is only 256 MB.

Now... I was running the ESET scan; it found the virus, it was only 10% complete, and it shut my computer off!!! :sad:

Here is the info it did retrieve:

Win32/Bagle.gen.zipworm

I am thinkin' this is NOT good, and am doing nothing else until I hear from you again.

awaiting your reply

Julia
 
My computer doesn't have the memory I wish it did; it is only 256 MB.
Hi

That's why you occasionally see the notification about low virtual memory. The recommended memory amount for XP is 512 MB.

Maybe running a disk check as mentioned in my previous post, combined with defragging, would make the scanner work. Also, AVG should be disabled, as you presumably had on earlier runs. Personally, I recommend the free JkDefrag for defragging.
 
Also, AVG should be disabled, as you presumably had on earlier runs.

Well, I searched and searched; the only option I found in AVG to disable it was to exit it. Do you have any advice... something I am overlooking?

Thanks Blade
 
Finally success...

:coffee: Good mornin' Blade

We have a success on this step :yahoo:
I felt kinda dumb; I knew about disabling AVG before... musta slipped my memory banks :whistle:
I always have a full plate and then some... kinda gets overwhelming :thud:
So... I have the log from running Kaspersky w/ AVG on and off... they are exactly the same :blink:

It's a lil strange to me that Spybot found "waled ac.cn TrojansC" and found no info about it.

Malwarebytes found "Malware.Trace RegistryKey-HKEY_CURRENT_USER/SOFTWARE/Microsoft/cs41275"

ESET, even though it didn't complete, found "Win32.Bagle.gen.zip worm"

Kaspersky found C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1... I am pretty sure I removed everything to do with AOL a long time ago :scratch:
Well... you know better than I; that's why we're here now :cool:

Here are the requested logs:
Kaspersky-

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, April 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, April 08, 2009 04:23:26
Records in database: 2021814
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: no

Scan area - My Computer:
A:\
C:\
E:\
F:\

Scan statistics:
Files scanned: 43392
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:47:03


File name / Threat name / Threats count
C:\Program Files\Common Files\aolback\Comps\toolbar\toolbr.exe Infected: not-a-virus:AdWare.Win32.SearchIt.t 1

The selected area was scanned.

________________________________________________________________

New HJT Log-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:36 PM, on 4/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2500 Series\lxddmon.exe
C:\Program Files\Lexmark 2500 Series\lxddamon.exe
C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"
O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234136263328
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxddCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe

--
End of file - 7371 bytes
______________________________________________________________

...so time for me to rest my weary brain :buried: lol

Talk to ya soon
and thanks again :friend: for your expertise and your patience :D:
 
So... I have the log from running Kaspersky w/ AVG on and off... they are exactly the same
Hi

Yes, the only reason to disable AVG was to make the scanning progress a little faster :)

If you have removed AOL, then there are some leftovers there which can be cleaned next.

Uninstall AOL-related items through Add/Remove Programs.

Start hjt, do a system scan, check (if found):
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Close browsers and fix checked.

Delete following folders if found:
C:\Program Files\AOL Toolbar
C:\Program Files\Common Files\aolback

Now that you know how to disable AVG shield you might want to try ESET scanner one more time.
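The review step Blade describes above (run a fresh HJT scan, look for a specific entry, fix it) is easier to do systematically when the two logs Julia posted are parsed and compared by a script rather than read side by side. The following Python is an added example for this thread: it is not part of the thread and not HijackThis's own tooling. The two embedded logs are abridged copies of the 4/1 and 4/7 HJT logs posted above; the triage rules in flag_entries() (BHOs whose file is missing, O23 services with an empty vendor field, O16 ActiveX controls fetched from a non-Microsoft host, O4 Run entries that name a bare file rather than a full path) are this example's own assumptions and produce prompts for a human to look at, not verdicts. The ESET OnlineScanner control it flags, for instance, is exactly the one Blade asked to have installed.

```python
"""Parse, diff and triage HijackThis (HJT) logs.

Added example for this thread: not part of the thread and not HijackThis's
own tooling. LOG_APR_1 and LOG_APR_7 are abridged copies of the two logs
posted in the thread; the rules in flag_entries() are this example's own
assumptions and yield review prompts, not verdicts.
"""
import re

# Abridged from the 4/1/2009 log posted in the thread.
LOG_APR_1 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:26:19 AM, on 4/1/2009
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (file missing)
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234136263328
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
"""

# Abridged from the 4/7/2009 log posted in the thread.
LOG_APR_7 = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:36 PM, on 4/7/2009
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1234136263328
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos-beta/OnlineScanner.cab
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
"""

# An HJT entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] y".
HJT_ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Map (section, body) -> original line for every R*/O* entry.

    Header lines and the 'Running processes' list are skipped. The key is
    the entry itself, so the same entry in two logs compares equal.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HJT_ENTRY.match(line)
        if m:
            entries[(m["sec"], m["body"])] = line
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed): entries present only in the new / old log."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added = sorted(line for key, line in new.items() if key not in old)
    removed = sorted(line for key, line in old.items() if key not in new)
    return added, removed


# Assumed triage rules (this example's own, not HijackThis's).
TRUSTED_DPF_HOSTS = ("microsoft.com",)
RUN_KEY = re.compile(r"HK\w+\\\.\.\\Run\w*: \[[^\]]+\] (\S+)")
URL_HOST = re.compile(r"https?://([^/\s]+)")


def flag_entries(text):
    """Return [(line, reason)] for entries that deserve a manual look."""
    flags = []
    for (sec, body), line in parse_hjt(text).items():
        if "(file missing)" in body:
            flags.append((line, "points at a file that no longer exists"))
        if sec == "O23" and re.search(r" - +- ", body):
            # HJT prints "<name> - <vendor> - <path>"; an empty vendor
            # shows up as two consecutive dashes.
            flags.append((line, "service has no vendor name"))
        if sec == "O16":
            m = URL_HOST.search(body)
            if m and not m.group(1).endswith(TRUSTED_DPF_HOSTS):
                flags.append((line, f"ActiveX control fetched from {m.group(1)}"))
        if sec == "O4":
            m = RUN_KEY.match(body)
            # A bare filename is resolved through the search path rather
            # than a fixed location, so another file can shadow it.
            if m and not re.match(r'"?[A-Za-z]:\\', m.group(1)):
                flags.append((line, "Run entry uses a bare filename"))
    return flags


if __name__ == "__main__":
    added, removed = diff_logs(LOG_APR_1, LOG_APR_7)
    print("Entries added between the two logs:")
    for line in added:
        print("  +", line)
    print("Entries removed between the two logs:")
    for line in removed:
        print("  -", line)
    print("Entries in the newer log worth a look:")
    for line, reason in flag_entries(LOG_APR_7):
        print(f"  ? {reason}: {line}")
```

Run it as a script to see the diff and the flagged entries; to use it on real logs, read each saved HJT .txt into a string and pass the two strings to diff_logs() and flag_entries(). The diff shows what actually changed between scans (here: the ERUNT backup shortcut and the ESET control appeared, the missing-file SSVHelper BHO and two Run entries went away), which is the question a helper is really asking when they request a fresh log.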
 
Where to go from here...

Start hjt, do a system scan, check (if found):
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Close browsers and fix checked.

Done :)

Uninstall AOL-related items through Add/Remove Programs.

I can't find anything related to AOL in Add/Remove Programs.
What about ABBYY FineReader? I am not even sure where it came from, what program uses it, if any... it sure is taking up a lot of room.

Delete following folders if found:
C:\Program Files\AOL Toolbar
C:\Program Files\Common Files\aolback

I found some aolback files by running a search on my computer; however, the search found nothing when I searched for 'aol/toolbar'. I am attaching a log of that search:
Well... never mind. I opened the search I saved and it was empty? Searched again and the search came back "no results found". I wrote it all down, so here is what I found and what happened:

"aolback.eve C:\windows 1KB shortcut"
When I tried to delete it, I get a message to go to Add/Remove Programs to completely delete it, but it is NOT in Add/Remove Programs.

plugin4336537468967334656...C/Documents settings\Bill\ApplicationData\Sun\Java\Deployment log-100 KB Text Document-created 4-7-09"

So I assume this has something to do with one of the AV scans you had me run, or with when I updated Java? I did not delete it because I am unsure.

I found an AOL Extras folder in My Documents; it won't let me delete it. I found some other AOL stuff in Documents that seems to be part of the operating system?

I tried to use the defrag tool you gave me the link to, but can't seem to even install it; it keeps wanting to use "WinZip" to unzip the file, but it is unsuccessful in doing so.

I tried running the ESET scan again; it got to 10% and shut my computer off again... it did find the same virus I listed previously, "Win32.Bagle.gen.zip worm".
A few days ago (after I posted here in the forums) I ran Spybot to see if it was showing any infections... my computer was shut down during that scan also.

Thanks Blade

Julia
 
What about ABBYY FineReader? I am not even sure where it came from, what program uses it, if any... it sure is taking up a lot of room.
Hi

If you don't use it, then uninstalling it probably won't do any harm :)

I believe that the system shutdowns may be hardware-related. One theory is that the system heats up and overheating protection shuts it down. Could it be possible to see what item ESET sees as the infection? Also, it has to be kept in mind that the finding may be a false positive.

Were you able to find these folders:
C:\Program Files\AOL Toolbar
C:\Program Files\Common Files\aolback
 
Hi Blade

I didn't find those AOL folders... I don't have time to work on this until tonight; I am heading out of town for the day.

Have a nice one :)
Julia
 
Hi Blade

I did delete the one AOL item you recommended removing, found in the HJT log.

I can't find any AOL stuff on my computer; however, I do find some items when I run a search for anything with "aol". I have tried twice to save that info to show you, but am unsuccessful... I dunno.

I ran a Malwarebytes full scan; it came back clean... AVG has not found any infections since I started this thread...

I would agree with you about the shutdowns being a hardware, overheating problem... except for the fact that it never happened before I started this thread, and it seems to happen at the exact same point in the two scans I have run when the computer completely shuts off.

I don't know what item ESET is finding the virus in, or when Spybot shuts down... I can run ESET again and cancel the scan when it finds the virus, before it shuts my computer off; then maybe I can find that item.

whatcha think?

Have a Blessed Day :)

Julia
 
I don't know what item ESET is finding the virus in, or when Spybot shuts down... I can run ESET again and cancel the scan when it finds the virus, before it shuts my computer off; then maybe I can find that item.
Does Spybot shut down too? I thought only the ESET scanner did. You could try running ESET like you suggested and cancel the scan before the system shuts down.
 